Drupalgeddon 2.0: Analyst’s Insight

Our monitoring systems identified a first-wave malicious campaign on April 12th, 2018, the same day that proof of concept code went public.

The Drupal core security team had earlier released security advisory SA-CORE-2018-002 on March 28th. We released our blocking and detection rules a few days later, meaning that Imunify360 customers were already protected by the time the campaign started.

October saw a new burst of attacks on this vector. Botnets located on thousands of IPs requested access to Drupal-based sites to upload a malicious payload. The chart below shows the activity levels for the past few months.

Reconnaissance

Most connections were attempting to extract the server's Linux kernel version and user ID through this request:

node?q[%23][]=passthru&q[%23type]=markup&q[%23markup]=id;uname -a
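One way to pick this request shape out of web-server access logs, as an added example that is not part of the original post or of the Imunify360 rule set: it flags any percent-encoded '#' inside a decoded query-string key, since Drupal's Form/Render API treats '#'-prefixed keys as internal properties (#type, #markup and so on) that a browser never legitimately submits. The log lines, IPs and regexes below are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not real traffic). The first carries the
# render-array injection quoted above; the other two are benign, including one
# with a percent-encoded '#' in a *value*, which must not trigger.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2018:10:01:02 +0000] "GET /node?q[%23][]=passthru&q[%23type]=markup&q[%23markup]=id;uname%20-a HTTP/1.1" 200 512
198.51.100.9 - - [12/Apr/2018:10:01:05 +0000] "GET /node?q=search/test HTTP/1.1" 200 4096
192.0.2.33 - - [12/Apr/2018:10:02:00 +0000] "GET /node/7?destination=/docs%23install HTTP/1.1" 200 300
"""

# Minimal Common Log Format parsing: client IP at line start, request line in quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CLIENT_RE = re.compile(r"^(?P<ip>\S+) ")


def render_array_keys(target: str) -> list:
    """Return decoded query-string keys that contain '#'.

    A '#' in a decoded *key* (q[#type], q[#markup], ...) is the injection
    signal; a '#' inside a value is ordinary data and is ignored.
    """
    query = urlsplit(target).query  # '%23' is not a fragment marker, so it stays
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if "#" in k]


def scan_log(text: str) -> list:
    """Return (client_ip, request_target, offending_keys) per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        keys = render_array_keys(m.group("target"))
        if keys:
            ip = CLIENT_RE.match(line).group("ip")
            findings.append((ip, m.group("target"), keys))
    return findings


if __name__ == "__main__":
    for ip, target, keys in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {target}\n    injected render-array properties: {keys}")
```

Scanning only keys keeps the rule cheap and avoids false positives on URLs that carry an encoded '#' as data, such as the destination parameter in the third sample line.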

Other payloads were seen, base64-encoded, in the file sites/default/files/xv.php. Decoded, they look like a common file uploader: